TL;DR: Palantir has access to NHS data covering 55 million patients. The “unlimited access” headline was technically wrong, but the real problem is worse: a £330m contract with no enforceable oversight, no public audit trail, and a government that just ignored Parliament calling it an unacceptable risk.

The contract exists, and the access is real
Palantir won a £330 million contract to run the NHS Federated Data Platform in November 2023. This is not speculation. The contract is public, and its scope covers data from approximately 55 million patients across England. The platform connects existing NHS data systems so hospitals and integrated care boards can manage waiting lists, theatre schedules, and discharge planning.
Amnesty International UK called the arrangement “unlimited access” in a May 2026 report. That framing made headlines, but it is technically inaccurate. The contract specifies role-based access controls, and Palantir cannot freely query individual patient records without a legal basis under UK data protection law. The word “unlimited” does a lot of rhetorical work that the contract text does not support.
What the contract does grant is broad. Palantir is the platform operator. That means its engineers have privileged access to the infrastructure that processes pseudonymized data. Pseudonymization is not anonymization: it is technically reversible, and the NHS retains the keys. But whether those keys are adequately protected depends on implementation details that are not publicly auditable.
The gap between the contract text and what Amnesty described is where the actual story sits. It is not about a company running wild with patient files. It is about a governance framework that trusts the operator too much and verifies too little.
The governance model is the vulnerability, not the technology
Most coverage of this story frames it as a privacy problem. It is more accurately a governance problem. Palantir’s platform, Foundry, has technical access controls that can be configured to restrict data access at a granular level. The NHS has written policies on who can see what. On paper, the safeguards exist.
The issue is enforceability. The contract lacks independent oversight mechanisms with real teeth. The National Data Guardian has an advisory role but cannot block decisions. NHS England can audit Palantir’s data usage, but audit reports are not published proactively. There is no mandatory breach notification standard tied to public disclosure.
This is consistent with how Palantir operates elsewhere. In Argentina, the company deployed a system called the Social Digital Twin that integrates education, medical, and economic data across government agencies. The pattern repeats: the technology is competent, the contract is legal, and the transparency is minimal.
The UK’s contract includes a clause prohibiting Palantir from using NHS data for anything beyond the contracted services. But the contract also allows NHS England to add new use cases through change requests without a new procurement process. That means the scope can expand by administrative decision rather than public debate. The governance structure assumes good faith.
This is not a technical failure. It is a deliberate design choice to prioritize operational flexibility over verifiable constraint.
Three concrete things that would make this arrangement safer
It is easy to say “cancel the contract.” It is harder to do, and it avoids the question of what would replace the platform. NHS data interoperability genuinely needs improvement, and the platform addresses real operational problems. The question is how to constrain the arrangement so that trust is not the only safeguard.
Mandatory published audit logs with data access granularity. The single highest-impact reform would be requiring Palantir to publish structured audit logs showing every data access event: who queried what, when, and under which legal basis. These logs should be pseudonymized where necessary but machine-readable and independently reviewed. If Palantir cannot produce this for commercial sensitivity reasons, the data should not be on their infrastructure.
A sunset clause tied to NHS-owned infrastructure. The contract should include a binding timeline for migrating the platform to NHS-owned and operated infrastructure. Palantir can build it, configure it, and train NHS staff on it. But the end state must be an NHS-controlled environment where Palantir is a vendor, not an operator. Without this, the arrangement becomes permanent by default.
A public change request register. Any change request that expands data scope or adds a new use case should be published on a public register before implementation, with a mandatory comment period. This does not require new legislation. It can be written into the contract as an operational requirement. Sunshine is the cheapest and most effective regulatory tool available.
These are not radical proposals. They are standard governance practices in regulated industries. The fact that none of them are in the current contract is the real story Amnesty should have led with.
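A sketch of what the published audit log proposed above could look like in machine-readable form, added here as an example and not taken from the contract, the NHS, or Palantir. The field names, the legal-basis labels, the controller-held key, and the hash chaining (which goes beyond the text so a reviewer can detect edits) are all assumptions.

```python
import hashlib, hmac, json

# Assumption: pseudonymization key held by the data controller, not the operator.
CONTROLLER_KEY = b"constructed-demo-key"
# Constructed labels for illustration; a real register would define its own.
ALLOWED_BASES = {"direct_care", "public_task"}
GENESIS = "0" * 64

def pseudonym(identifier: str, key: bytes = CONTROLLER_KEY) -> str:
    """Keyed pseudonym: stable for linkage, re-linkable only by the key holder."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_event(log: list, actor: str, dataset: str, when: str, legal_basis) -> dict:
    """Append one access event (who, what, when, basis), chained to the previous hash."""
    body = {
        "actor": pseudonym(actor),
        "dataset": dataset,
        "when": when,
        "legal_basis": legal_basis,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry = {**body, "hash": _digest(body)}
    log.append(entry)
    return entry

def review(log: list) -> list:
    """Independent reviewer: return (index, problem) findings; needs no key."""
    findings, prev = [], GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(body) != entry["hash"]:
            findings.append((i, "chain broken"))
        if entry["legal_basis"] not in ALLOWED_BASES:
            findings.append((i, "no valid legal basis"))
        prev = entry["hash"]
    return findings

def sample_log() -> list:
    """Constructed sample events, not real access data."""
    log = []
    append_event(log, "engineer-17", "waiting_list", "2026-06-03T09:00:00Z", "direct_care")
    append_event(log, "engineer-17", "discharge_plan", "2026-06-03T09:05:00Z", None)
    append_event(log, "analyst-02", "theatre_schedule", "2026-06-03T09:10:00Z", "public_task")
    return log
```

The chain only detects edits if the latest hash is also lodged with the reviewer or published, since an operator who controls the whole file could otherwise rebuild it from the first entry.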
June 3, 2026: Parliament moves. The government doesn’t.
On June 3, 2026, the cross-party House of Commons Science, Innovation and Technology Committee published a 70-page report calling Palantir “an unacceptable point of weakness” in the UK public sector. The committee recommended that the government exercise the 2027 break clause in the NHS contract and either develop an in-house replacement or find a UK-owned alternative more compatible with British values.
The same day, Palantir won a new £9 million contract to build a national firearms database. No competitive tender. The committee’s report was published in the morning; the new contract was announced in the afternoon.
The government has not responded publicly. The contract stands. The governance gaps remain. The parliamentary pressure is real, but without a formal government commitment to exercise the break clause before February 2027, the recommendation is advisory. Palantir knows it.
Who needs to care about this now versus who can monitor
If you work in NHS IT, clinical governance, or data protection, this affects your professional obligations immediately. You may be asked to integrate with the platform or handle data that flows through it. Document your questions in writing. Ask about audit trail access. Ask about your obligations under UK GDPR when pseudonymized data moves through a third-party platform. If you get ambiguous answers, escalate in writing.
If you are an NHS patient, your individual records are not at higher risk today than they were before Palantir’s contract. The NHS already shares data with hundreds of third-party vendors under similar governance arrangements. The Palantir deal is larger in scale and higher in profile, but the structural privacy risks are not novel. If you are concerned, the most effective action is to request a National Data Opt-Out, which prevents your data from being used for purposes beyond your direct care.
If you are a policymaker or journalist, the angle worth pursuing is not “Palantir has unlimited access.” It is “Palantir’s contract lacks enforceable constraints, and Parliament just said so out loud.” That is a solvable problem with specific, boring regulatory answers. The drama distracts from the fix.
Operating as if governance will not save you
The NHS chose Palantir because it needed a platform that works at scale, and Palantir has a demonstrated track record of making complex data interoperable. The problem is that the contract treats governance as a secondary concern rather than a primary requirement. That is not unique to Palantir. It is how most large government IT contracts work.
The operational conclusion is straightforward. If you are responsible for NHS data governance, operate on the assumption that the platform provider will have access to more data than the contract implies. Not because Palantir is malicious, but because platform operators always have privileged visibility, and the controls that limit that visibility are only as good as their enforcement. Document everything. Demand audit trails. Build your own monitoring where possible. Do not rely on contractual language as your only defense.
The Amnesty report got attention. The parliamentary committee added institutional weight. But the fix is enforceable transparency, and that is entirely achievable if anyone with authority decides it matters before February 2027.